MMD-0017-2014 - A post to sting Zeus P2P/Gameover crooks :))
23 Mar 2014
The Background
This end of week, Zeus P2P Gameover (in short: GMO) is running a large campaign that utilizes Upatre (using its latest version to download an encrypted ZZP file w/many extensions), which is riding the Cutwail spambots (I checked those by IP and templates). As so many good writings and coverage out there have stated, the recent GMO has a new trend: it uses the Necurs rootkit, sends a new callback HTTP header (with POST /write) to the CNC, drops itself (the GMO payloads) with polymorphic hashes to evade detection, and fires tons of randomized DGA P2P callbacks for the botnet functionality (the last one is apparently not new).
Shortly, this new "trend" together with the large volume of the campaign caught my interest, so I started to collect what came to my honeypot from March 18, 2014 until today, as the background of this post.
The Quick Research
Below is the list of analyses I did in VirusTotal; see the comments on each post for the details:
There are many interesting details about this threat in other reports, like VRT (link) and CERT Polska (link), which are very good reports! Since I am dead busy right now, please kindly bear with this short post; I won't write much about the technical details already covered in previous reports by others. What I want to stress here is only one aspect: the DGA callback domains used by GMO (as per the picture below), which weren't covered much in previous articles. It is important to understand and learn this, since the DGA used by GMO has weak points that can be used to stop or mitigate the threat, and to give the bad actor behind the scene a "sting" :))
What's with these "Lame" DGA?
By skipping the details of reversing the binaries (for security purposes) and comparing the results with the forensics, I collected these callbacks as per the list of domains below:
aqivobfijnxoprdqldqqkvwdix,com
These are the "Lame DGA" that GMO uses, meaning these are strings that are decoded in the malware binary without seeds: a wannabe DGA (Domain Generation Algorithm) which is not randomized, and the logic for extracting each string is in the GMO binary itself for the samples I listed above. One doesn't have to be a reverser to figure out that some of these "Lame DGA" domains are used & spotted over and over in many samples. So why are so many domains made, and why do they "look" randomized in name? "Maybe" they (as in the GMO crooks) actually want us to think of them as DGA to avoid blocking. It is an insult to decent people's intelligence and will be a massive big #FAIL for the crooks themselves if people start to aim cannon at this weak spot (yes, friends, aim your cannon there, THERE!).
What? Blocking? Is it blockable? Not a decoy or something? Are these really activated? < The answer to all of these is generally "YES!", and they could also be a decoy too (if they're not going to activate these domains anyway). Great, isn't it? :D
Activation, IP Information & Getting Closer to CNC??
As the PoC: now (TODAY, to be precise) I found that four of the domains above are actually activated and ALIVE:
aulbbiwslxpvvphxnjij,biz, "50,116,4,71 DNS1-5,REGISTRAR-SERVERS,COM"
peucehqxsgmzhgujfsoeihmpvhiz,info, "212,71,235,232 NS1-4, MONIKERDNS,NET"
tcvkwsbqnjhjobgyttklnfxo,com, "23,239,140,156 NS1-4,MONIKERDNS,NET"
zxjzaypibnjayfmpzpalkbaunzl,com, "178,79,178,243 DNS1-2,NAMESECURE,COM"
bjvinbegehaukxdsmfzpeq.com, "126.96.36.199 NS61.DOMAINCONTROL.COM"
daeemibxfaifxocuaevklr.net, "188.8.131.52 NS1-4.MONIKERDNS.NET"
mftodqwheaiozkbzduwjzydwkonv.com, "184.108.40.206 DNS1.REGISTRAR-SERVERS.COM"
xsjbizzdydceiztcdobtwugisokv.com, "220.127.116.11 NS1-4.MONIKERDNS.NET"
qkdapcqinizsczxrwaelaimznfbqq.biz, "18.104.22.168 DNS1.NAMESECURE.COM"
These 4 (four), plus one newly added (I will add more), IP addresses are also not ISDN/pool IPs but static IPs, and two of them have the status of corporate ones. So if you think that these four IPs are peer-to-peer or infected PCs' IPs, the answer is no; please start to deduce the further investigation steps on why GMO is collaborating with these IPs.
ADDED: Cut the crap! What's the connection of the DGA to CNC??
I was asked many questions about what this DGA actually does. I will try to write a simple explanation as follows; sorry to my fellow researchers for burping this fact out here, because "some people" are starting to think that I am trying to sell a "candy bar" here..
Gameover rapidly sends DNS requests for the active IP address of the CNC by using this DGA, "WITH OR WITHOUT an internet connection" (since I heard a noise saying to cut the internet connection to make GMO query lots of domains.. which is just WRONG).
Even when an internet connection exists, GMO will make the rapid calls as per the PCAP screenshot above (see below for a re-post)
The purpose is to confuse researchers: they are aiming at only one (or max: two) IP address(es) of the CNC, which are actually registered under a "few" of the "tons" of lame DGA domains. To be more clear, take a look at the PoC below:
After receiving the IP address from the DGA request, GMO can then send requests to the CNC, as per the real PoC below:
This is the connection, and it is why the DGA is actually very important for Gameover's communication to the CNC: blocking these DGA domains will block its communication to the CNC, and without the CNC connection GameOver is just "another" botnet without its master's command and control, and will keep peer-to-peering with each other without any control from the herder < this is the connection you all asked for, this is the attack point. (Forgive me, God of InfoSec, for burping this info out in public here; there is no way I can convince others without telling this fact loud and clear..)
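As an added illustration (not code from the original post), the sketch below turns domains listed in this post into DNS RPZ records that answer NXDOMAIN, and scans a DNS query log for clients that look the names up in rapid succession. The log format, client addresses, window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Domains copied from this post, in the comma-defanged form it uses.
PAGE_DOMAINS = [
    "aqivobfijnxoprdqldqqkvwdix,com", "aulbbiwslxpvvphxnjij,biz",
    "peucehqxsgmzhgujfsoeihmpvhiz,info", "tcvkwsbqnjhjobgyttklnfxo,com",
    "zxjzaypibnjayfmpzpalkbaunzl,com",
]

# Constructed sample log (hypothetical format): epoch-seconds client qname rcode
SAMPLE_LOG = """\
1395561600 10.0.0.5 aqivobfijnxoprdqldqqkvwdix.com. NXDOMAIN
1395561600 10.0.0.5 AULBBIWSLXPVVPHXNJIJ.biz NOERROR
1395561601 10.0.0.5 tcvkwsbqnjhjobgyttklnfxo.com NOERROR
1395561601 10.0.0.9 www.example.org NOERROR
1395561700 10.0.0.9 zxjzaypibnjayfmpzpalkbaunzl.com NOERROR
""".splitlines()

def normalize(name):
    """Refang a comma-defanged name, lowercase it, drop the trailing root dot."""
    return name.strip().replace(",", ".").lower().rstrip(".")

def build_rpz(domains):
    """RPZ records that answer NXDOMAIN (CNAME .) for each name and its subdomains."""
    records = []
    for d in sorted({normalize(x) for x in domains}):
        records += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return records

def scan(log_lines, domains, window=5, burst=3):
    """Return (listed lookups per client, clients with >= burst of them in window s)."""
    listed = {normalize(d) for d in domains}
    times = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing
        ts, client, qname, _rcode = parts
        if normalize(qname) in listed:
            times[client].append(int(ts))
    hits = {c: len(t) for c, t in times.items()}
    # Pair each timestamp with the one (burst - 1) positions later in sorted order.
    bursty = {c for c, t in times.items()
              if any(b - a <= window for a, b in zip(sorted(t), sorted(t)[burst - 1:]))}
    return hits, bursty

if __name__ == "__main__":
    print("\n".join(build_rpz(PAGE_DOMAINS)))
    print(scan(SAMPLE_LOG, PAGE_DOMAINS))
```

A client flagged as bursty is a candidate infected host, while a single listed lookup (like 10.0.0.9 in the sample) still counts as a hit worth checking.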
What's the point??
Below are my points; I made them as simple as possible:
1. Get these DGA domains' registration info! These DGA domains are registered only by the bad actor; they are not hacked sites and not hacked domains. We have tons of experience now in nailing crooks' IDs by this method, so please extract the information from your known registrars and please pass it to law enforcement immediately.
2. A suggestion: a chance to catch them "in the act". The unregistered domains will likely be registered sooner or later after the current ones are blocked/suspended, so it is good for registrars, CERTs and law enforcement to make an extra effort: a list, or better yet, an Auto Block Scheme and maybe a Direct Alert System sent to law enforcement, to trap the crooks' collaborating channels so they are "caught in the act" and can be legally investigated.
3. Do it NOW. The GMO coders implemented the logic of the DGA in the GMO binary, which is stuff that is not easily remade without redeveloping a big part of the current malware, so we can hope this scheme lasts for a while. It is a chance for the good guys! :-))
4. Words for the "malware crooks": I would really love to see the malware crooks' faces while they're reading this post :P) A few words for the malware coders from us: we are security engineers here, we reverse stuff very well, we investigate things deeply; don't make us come at you now. STOP your malware coding practice and get decent work like all of us. Life, no matter what, is never easy; let's code something useful & positive even if we only receive a few pennies for it.
Additional & Follow up
Mr. Conrad Longmore extracted more related DGA domains via the verdicted IP addresses above; thanks Conrad, so we don't have to crack binary per binary to get these. Please visit the Dynamoo Blog in the link below:
What we are posting here is knowledge for the awareness of the many PC users, the victims who are getting hit by this malware's infections, whose credentials were stolen into some botnet panels by these GMO-affiliated gates/panels: to inform you that there are actually many methods that can be applied and executed to stop a malware infection scheme that comes from/uses the internet. As long as the good guys are still in control of the networking and the internet, the scheme to stop malware infection via malvertisement can always be applied.
The only problem is always: HOW BAD do we REALLY want to stop this malware?